Skip to content

Add option to control AM version, fix CA result parsing#522

Merged
attiasas merged 8 commits intojfrog:masterfrom
attiasas:test_ca
Mar 1, 2026
Merged

Add option to control AM version, fix CA result parsing#522
attiasas merged 8 commits intojfrog:masterfrom
attiasas:test_ca

Conversation

@attiasas
Copy link
Contributor

@attiasas attiasas commented Feb 26, 2026
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.

Configurable Analyzer Manager version and improved CA result parsing

Summary

Add a user-configurable scanner binary (Analyzer Manager) version override in the plugin's Advanced settings, update the default AM version to 1.30.1, and rework Contextual Analysis SARIF output parsing to use a rules-based approach that reads applicability status from rule properties instead of relying on result kind/suppression alone. Informational SARIF results are now filtered out across all scanners.

Changes

  • Configurable AM version: Added scannerBinaryVersion field to ServerConfigImpl (with builder, equals, hashCode), GlobalSettings, and the Advanced tab UI (JFrogGlobalConfiguration.form/.java). The download logic in ScanBinaryExecutor resolves the effective version (user override or default 1.30.1) and re-downloads when the configured version changes.
  • Rules-based CA parsing: ApplicabilityScannerExecutor now overrides parseOutputSarif to determine applicability from rule.properties.applicability (applicable / not_applicable), deduplicates rules (preferring applicable over not_applicable), and creates notApplicable warnings via a new factory method on JFrogSecurityWarning.
  • Filter informational results: Both the base ScanBinaryExecutor.parseOutputSarif and the new CA parser skip results where kind == "informational".
  • PypiScanner fix: Replaced deprecated PyPipEnvPackageManager with PyPackageManager.
  • Bug fix: ServerConfigImpl.equals now uses Objects.equals for externalResourcesRepo (was ==).
  • Misc: Updated plugin verifier to 1.400, added name field to Rule, removed unused artifactoryPublish blocks from test Gradle files, updated tests for the new parsing logic.

Testing

  • Updated ScanBinaryExecutorTest.testSarifParserApplicResultsWithRulesBasedParsing to verify the new rules-based CA parsing (2 results: 1 not-applicable, 1 applicable).

  • Added testSarifParserSkipsInformationalResults with a new secrets_with_informational_output.sarif fixture.

  • Updated Gradle test fixtures and assertions for compatibility.

  • All tests passed. If this feature is not already covered by the tests, I added new tests.

@attiasas attiasas requested a review from a team February 26, 2026 14:03
@attiasas attiasas added new feature Automatically generated release notes safe to test Approve running integration tests on a pull request labels Feb 26, 2026
@jfrog jfrog deleted a comment from github-actions bot Feb 26, 2026
@jfrog jfrog deleted a comment from github-actions bot Mar 1, 2026
@jfrog jfrog deleted a comment from github-actions bot Mar 1, 2026
@jfrog jfrog deleted a comment from github-actions bot Mar 1, 2026
@attiasas attiasas merged commit 6a93352 into jfrog:master Mar 1, 2026
8 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@meirjfrog meirjfrog meirjfrog approved these changes

Assignees

No one assigned

Labels

new feature Automatically generated release notes safe to test Approve running integration tests on a pull request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@attiasas @meirjfrog